def test_machine_exploited(current_monkey, exploit_successful, exploiter, target_ip, timestamp):
events = [
Event.create_event(
title="Exploit attempt",
message="Monkey on {} attempted to exploit {} using {}.".format(
current_monkey.hostname,
target_ip,
exploiter),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=timestamp
)
]
status = zero_trust_consts.STATUS_PASSED
if exploit_successful:
events.append(
Event.create_event(
title="Exploit success!",
message="Monkey on {} successfully exploited {} using {}.".format(
current_monkey.hostname,
target_ip,
exploiter),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=timestamp)
)
status = zero_trust_consts.STATUS_FAILED
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_MACHINE_EXPLOITED,
status=status,
events=events
)
add_malicious_activity_to_timeline(events)
def test_create_or_add_to_existing_2_tests_already_exist(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
test = zero_trust_consts.TEST_MALICIOUS_ACTIVITY_TIMELINE
status = zero_trust_consts.STATUS_VERIFY
event = Event.create_event("t", "t",
zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
events = [event]
self.assertEqual(len(Finding.objects(test=test, status=status)), 0)
Finding.save_finding(test, status, events)
self.assertEqual(len(Finding.objects(test=test, status=status)), 1)
self.assertEqual(
len(Finding.objects(test=test, status=status)[0].events), 1)
AggregateFinding.create_or_add_to_existing(test, status, events)
self.assertEqual(len(Finding.objects(test=test, status=status)), 1)
self.assertEqual(
len(Finding.objects(test=test, status=status)[0].events), 2)
Finding.save_finding(test, status, events)
self.assertEqual(len(Finding.objects(test=test, status=status)), 2)
with self.assertRaises(AssertionError):
AggregateFinding.create_or_add_to_existing(test, status, events)
def test_antivirus_existence(process_list_json, monkey_guid):
current_monkey = Monkey.get_single_monkey_by_guid(monkey_guid)
process_list_event = Event.create_event(
title="Process list",
message="Monkey on {} scanned the process list".format(
current_monkey.hostname),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL)
events = [process_list_event]
av_processes = filter_av_processes(process_list_json["process_list"])
for process in av_processes:
events.append(
Event.create_event(
title="Found AV process",
message=
"The process '{}' was recognized as an Anti Virus process. Process "
"details: {}".format(process[1]['name'],
json.dumps(process[1])),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL))
if len(av_processes) > 0:
test_status = zero_trust_consts.STATUS_PASSED
else:
test_status = zero_trust_consts.STATUS_FAILED
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
status=test_status,
events=events)
def test_open_data_endpoints(telemetry_json):
services = telemetry_json["data"]["machine"]["services"]
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
found_http_server_status = zero_trust_consts.STATUS_PASSED
found_elastic_search_server = zero_trust_consts.STATUS_PASSED
events = [
Event.create_event(
title="Scan Telemetry",
message="Monkey on {} tried to perform a network scan, the target was {}.".format(
current_monkey.hostname,
telemetry_json["data"]["machine"]["ip_addr"]),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=telemetry_json["timestamp"]
)
]
for service_name, service_data in list(services.items()):
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Scanned service: {}.".format(service_name),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
if service_name in HTTP_SERVERS_SERVICES_NAMES:
found_http_server_status = zero_trust_consts.STATUS_FAILED
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
service_data["display_name"],
telemetry_json["data"]["machine"]["ip_addr"],
json.dumps(service_data)
),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
if service_name == ES_SERVICE:
found_elastic_search_server = zero_trust_consts.STATUS_FAILED
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
service_data["display_name"],
telemetry_json["data"]["machine"]["ip_addr"],
json.dumps(service_data)
),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
status=found_http_server_status,
events=events
)
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC,
status=found_elastic_search_server,
events=events
)
add_malicious_activity_to_timeline(events)
def test_new_user_communication(current_monkey, success, message):
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
# If the monkey succeeded to create a user, then the test failed.
status=zero_trust_consts.STATUS_FAILED
if success else zero_trust_consts.STATUS_PASSED,
events=[
get_attempt_event(current_monkey),
get_result_event(current_monkey, message, success)
])
def test_create_or_add_to_existing(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
test = TEST_MALICIOUS_ACTIVITY_TIMELINE
status = STATUS_VERIFY
events = [Event.create_event("t", "t", EVENT_TYPE_MONKEY_NETWORK)]
self.assertEquals(len(Finding.objects(test=test, status=status)), 0)
AggregateFinding.create_or_add_to_existing(test, status, events)
self.assertEquals(len(Finding.objects(test=test, status=status)), 1)
self.assertEquals(
len(Finding.objects(test=test, status=status)[0].events), 1)
AggregateFinding.create_or_add_to_existing(test, status, events)
self.assertEquals(len(Finding.objects(test=test, status=status)), 1)
self.assertEquals(
len(Finding.objects(test=test, status=status)[0].events), 2)
def test_tunneling_violation(tunnel_telemetry_json):
if tunnel_telemetry_json['data']['proxy'] is not None:
# Monkey is tunneling, create findings
tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(
tunnel_telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
tunnel_telemetry_json['monkey_guid'])
tunneling_events = [
Event.create_event(
title="Tunneling event",
message="Monkey on {hostname} tunneled traffic through {proxy}."
.format(hostname=current_monkey.hostname,
proxy=tunnel_host_ip),
event_type=EVENT_TYPE_MONKEY_NETWORK,
timestamp=tunnel_telemetry_json['timestamp'])
]
AggregateFinding.create_or_add_to_existing(test=TEST_TUNNELING,
status=STATUS_FAILED,
events=tunneling_events)
add_malicious_activity_to_timeline(tunneling_events)